App Privacy Issues Deeply Troubling

The recent revelations that some iPhone and Android apps are uploading and storing users’ phone address books without permission is very troubling. It not only violates the privacy of the person using the phone but, potentially, everyone in that person’s address book.

What bothers me is that we need to worry not only about big companies like Apple being careful with our data but also about the app developers on its platforms. The same goes for other mobile platforms like Android, as well as social networking platforms, like Facebook, that also host third party apps.

When you add them up, there are already probably more than a million iOS, Android and Facebook apps from a countless number of developers that could access personal information, so there is plenty of reason to worry about both deliberate misuse of our data as well as accidental disclosure.

This is a very serious issue. Misuse of the information in people’s mobile phone address books could jeopardize their privacy and safety and reveal trade secrets related to their business or profession.

The latest flap started Feb. 8, when Singapore-based software developer Arun Thampi blogged that he discovered that an iPhone app from Path uploaded his entire iPhone address book to its servers without asking for permission. Path is a social journal app that lets you share experiences with friends.

Path CEO Dave Morin wrote on his company’s blog that “the use of this information is limited to improving the quality of friend suggestions when you use the ‘Add Friends’ feature and to notify you when one of your contacts joins Path,” but admitted that “we now understand that the way we had designed our ‘Add Friends’ feature was wrong.” The company has since modified the app so that it now asks permission before uploading any user data.

Others too

It turns out that Path is not alone. The Next Web blog reported that Foursquare “was uploading all of the e-mail addresses and phone numbers in your address book with no warning and no explicit consent given,” and apps from Twitter and Facebook were also uploading address book information, after asking or warning users. A Twitter representative told the Los Angeles Times that “after mobile users tap the ‘Find friends’ feature on its smartphone app, the company downloads users’ entire address book, including email addresses and phone numbers, and keeps the data on its servers for 18 months.”

The practice appears to be pretty common. After a “quick survey,” blogger Dustin Curtis wrote that 13 out of 15 developers of iOS apps with a ‘find friends’ feature disclosed that they too had uploaded user contacts. “One company’s database,” Curtis wrote, “has Mark Zuckerberg’s cellphone number, Larry Ellison’s home phone number and Bill Gates’ cellphone number.”

Congress getting involved

Even though it violates the company’s rules, Apple apparently didn’t take steps to prevent it until after CEO Tim Cook was sent a letter from Reps. Henry Waxman, D-Los Angeles, and G.K. Butterfield, D-North Carolina, that questioned “whether Apple’s iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts.”

Apple followed up with a statement that “apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” and said “any app wishing to access contact data will require explicit user approval in a future software release.”

Are guidelines enough?

This is not the first time Apple has slipped when it comes to protecting user privacy on its iOS devices. Last April it was disclosed that Apple itself was uploading a log of Wi-Fi hotspots and cell towers around the location of users’ iPhones. Late Apple CEO Steve Jobs at the time told All Things Digital that the inability of users to turn off location services was due to a “bug that we found,” which the company later fixed.

As troubling as it was that Apple was inadvertently storing user location data, I’m more disturbed by the current revelations because it involves independent app developers who aren’t necessarily as accountable as Apple.

Even if we assume that all the reputable companies that have been accused of uploading users’ address books — Path, Instagram, Facebook, Twitter, Voxer and Foursquare — are well meaning, I can’t say that for every app developer who might have also access to this type of information.

I’m not just worried about iOS devices. I worry about other mobile platforms, including Android and I also worry about social networking sites — including Facebook and Twitter — that support third party apps.

Facebook, for example, has strict guidelines that require app developers to ask permission before accessing or sharing any user information and allows them to collect only the user data that they need to perform their stated tasks. That’s all well and good, but with hundreds of thousands of apps out there from a countless number of developers, there is reason to fear that some might ignore or violate the rules or accidentally leak user data.

Beware of giving permission

To be fair, it’s important to distinguish between apps that upload user data without permission and those that either inform or ask permission. Still, I’m guessing that a lot of users give permission without giving it a lot of thought. I once accidentally give permission for a social networking site (which is no longer in business) to access my Gmail address book and it then spammed all of my friends with requests to join. It was an embarrassing moment.